Dynamic Unauthorized Activity Detection and Control System

ABSTRACT

Systems for dynamically detecting and controlling unauthorized activity are presented. In some examples, a request for a withdrawal may be received by a self-service kiosk. A plurality of bills may be transferred from a storage area to a dispensing device of the self-service kiosk. In some examples, the plurality of bills may be scanned to capture data associated with each bill. This data may be stored in a bill identification database. An error notification may be received by the self-service kiosk from a user. In response, bills within the self-service kiosk may be scanned to identify unique identifiers associated with the bills in the self-service kiosk. If the bills identified as dispensed are present, an error or malfunction has occurred and a user account may be credited. If the bills are not present, the activity may be identified as unauthorized activity and one or more mitigating actions may be executed.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to co-pendingU.S. application Ser. No. 16/865,535, filed May 4, 2020, and entitled“Dynamic Unauthorized Activity Detection and Control System,” which isincorporated herein by reference in its entirety.

BACKGROUND

Aspects of the disclosure relate to electrical computers, systems, anddevices for dynamic unauthorized event detection and processingfunctions.

Unauthorized activity can occur during various types of event processingfunctions. However, when using automated systems, it is often easier toexecute unauthorized activity than when dealing with a person acting asan associate, customer service representative, or the like. Forinstance, when using a self-service kiosk, such as an automated tellermachine (ATM) or the like, a user may request a withdrawal and, in someinstances of unauthorized activity, may claim that the ATM did notdispense the funds or the full amount of the requested withdrawal. Inanother example of potential unauthorized activity, a user may deposititems into an ATM that are not valid items for deposit. In conventionalsystems, it may be difficult to detect these and similar types ofunauthorized activity in an efficient manner in order to executemitigating actions.

SUMMARY

The following presents a simplified summary in order to provide a basicunderstanding of some aspects of the disclosure. The summary is not anextensive overview of the disclosure. It is neither intended to identifykey or critical elements of the disclosure nor to delineate the scope ofthe disclosure. The following summary merely presents some concepts ofthe disclosure in a simplified form as a prelude to the descriptionbelow.

Aspects of the disclosure provide effective, efficient, scalable, andconvenient technical solutions that address and overcome the technicalproblems associated with detecting and controlling response tounauthorized activity.

In some examples, a request for a withdrawal may be received by, forexample, a self-service kiosk. The request may include a request for anamount of currency. The request may be processed and a plurality ofbills corresponding to the amount of currency may be transferred from astorage area in the self-service kiosk to a dispensing device of theself-service kiosk. In some examples, the plurality of bills may bescanned to capture data associated with each bill, such as a uniqueidentifier, denomination, current location, time, date, and the like. Insome examples, an indication that the bills are being dispensed may becaptured. This data may be stored in a bill identification database thatmay store data associated with currency in circulation. By capturing andstoring the data associated with bills in circulation, a route ofcirculation associated with a bill may be determined and unauthorizedactivity patterns or events may be detected.

After transferring the bills for dispensing, an error notification maybe received by the self-service kiosk. In some examples, the errornotification may be received from a user and may indicate that the billswere not dispensed or the correct amount was not dispensed. In response,in some examples, bills within the self-service kiosk may be scanned toidentify unique identifiers associated with the bills in theself-service kiosk. If the bills identified as dispensed are present, anerror or malfunction has occurred and a user account may be credited. Ifthe bills are not present, the activity may be identified asunauthorized activity and one or more mitigating actions may beexecuted.

These features, along with many others, are discussed in greater detailbelow.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIGS. 1A and 1B depict an illustrative computing environment forimplementing dynamic unauthorized activity detection and controlfunctions in accordance with one or more aspects described herein;

FIGS. 2A and 2B depict schematic illustrations of a self-service kioskthat may be used in accordance with one or more aspects describedherein;

FIGS. 3A-3C depict an illustrative event sequence for capturing andstoring currency data in accordance with one or more aspects describedherein;

FIGS. 4A-4G depict an illustrative event sequence for implementingdynamic unauthorized activity detection and control functions inaccordance with one or more aspects described herein;

FIGS. 5A-5G depict an illustrative event sequence for implementingdynamic unauthorized activity detection and control functions inaccordance with one or more aspects described herein;

FIG. 6 depicts an illustrative method for implementing and using dynamicunauthorized activity detection and control functions according to oneor more aspects described herein;

FIG. 7 depicts an illustrative method for implementing and using dynamicunauthorized activity detection and control functions in accordance withone or more aspects described herein;

FIG. 8 illustrates one example user interface that may be generatedaccording to one or more aspects described herein;

FIG. 9 illustrates one example user interface that may be generatedaccording to one or more aspects described herein;

FIG. 10 illustrates one example environment in which various aspects ofthe disclosure may be implemented in accordance with one or more aspectsdescribed herein; and

FIG. 11 depicts an illustrative block diagram of workstations andservers that may be used to implement the processes and functions ofcertain aspects of the present disclosure in accordance with one or moreaspects described herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. It isto be understood that other embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the present disclosure.

It is noted that various connections between elements are discussed inthe following description. It is noted that these connections aregeneral and, unless specified otherwise, may be direct or indirect,wired or wireless, and that the specification is not intended to belimiting in this respect.

As discussed above, unauthorized activity can occur through variouschannels. However, in some examples, it may be easier to executeunauthorized activity events at self-service kiosks, such as anautomated teller machine (ATM), automated teller assistant (ATA), or thelike. For instance, in some examples, an ATM may indicate that an amountof funds was dispensed, however, a user may claim that the funds werenot dispensed or that an incorrect amount was dispensed. In conventionalarrangements, the ATM does not have the capability to evaluate how muchwas dispensed, which bills of various denominations were dispensed, orthe like.

In another example of unauthorized activity conducted at a self-servicekiosk, a user may request a deposit and may insert one or more itemsinto an ATM for deposit. In some examples, the items inserted may not bevalid items for deposit. For instance, some unauthorized actors maydeposit standard paper, household items, or the like, into the ATM fordeposit. Conventional ATM arrangements do not have the capability toevaluate items being deposited for validity in order to thwartunauthorized activity or mitigate impact of the unauthorized activity.

Accordingly, aspects described herein are directed to providingadditional functionality at a self-service kiosk to detect and controlunauthorized activity. In some arrangements, a catalogue of currencybills may be built. The catalogue of currency bills may include adatabase storing a unique identifier associated with each bills (e.g., aserial number), a denomination, a current and/or previous location, andthe like. The catalogue of currency bills may receive input from aplurality of devices, channels, entities, and the like. For instance, afinancial institution may input data for one or more currency bills byscanning bills deposited at a self-service kiosk, by scanning billssubmitted for deposit to a banking associate, new bills received from afederal or governmental entity, and the like. In another example, aretail establishment may scan incoming and outgoing currency bills andthe data may be transmitted to the database for storage. Accordingly, adatabase of currency bills in circulation may be established andmaintained. This database may be used to detect unauthorized activitypatterns, detect unauthorized activity, and the like.

Further, aspects described herein are directed to detecting occurrencesof unauthorized activity quickly and efficiently and executingmitigating actions quickly and efficiently. For instance, by leveragingdata contained in the catalogue of currency, unauthorized activity maybe detected and controlled. For instance, a record of all bills within aself-service kiosk may be recorded (e.g., via the database storing thecatalogue of currency). When bills are dispensed, the details associatedwith each bill may be captured and used to update the database. Inarrangements in which a notification of error is received from a user, ascan of bills within the self-service kiosk may quickly confirm whetherbills were or were not dispensed. Further, image data may be used todetect cash jams, capture actions or behaviors or an unauthorized actor,or the like.

In another example, items submitted for deposit may be evaluated by theself-service kiosk to confirm that they do not include metal, plastic,or other materials not associated with valid items. Additional securityfeatures such as watermarks, embedded threads, and the like, may beevaluated. If unauthorized activity is determined or detected based onthe evaluation, one or more mitigating actions may be executed.

These and various other arrangements will be discussed more fully below.

FIGS. 1A-1B depict an illustrative computing environment forimplementing dynamic unauthorized activity detection and controlfunctions in accordance with one or more aspects described herein.Referring to FIG. 1A, computing environment 100 may include one or morecomputing devices and/or other computing systems. For example, computingenvironment 100 may include unauthorized activity detection and controlcomputing platform 110, self-service kiosk 120, internal computingsystem 2 125, external computing system 140, a first local usercomputing device 150, a second local user computing device 155, a firstremote user computing device 170, and a second remote user computingdevice 175. Although one self-service kiosk 120 is shown, moreself-service kiosks, as well as various types of self-service kiosks(e.g., automated teller machine (ATM), automated teller assistant (ATA),or the like), may be used without departing from the invention.Similarly, although one internal computing system 125, one externalcomputing system 140, two local user computing devices 150, 155 and tworemote user computing device 170, 175 are shown, more devices (or fewerdevices in some cases) may be used without departing from the invention.

Unauthorized activity detection and control computing platform 110 maybe configured to provide intelligent, dynamic, unauthorized activitydetection and control functions. Unauthorized activity detection andcontrol computing platform 110 may be a computer system that includesone or more computing devices (e.g., servers, server blades, or thelike) and/or other computer components (e.g., processors, memories,communication interfaces) that may be used to implement machine learningalgorithms, or the like to recognize patterns and generate or identifypotential unauthorized activity, execute one or more mitigating actions,and the like.

For instance, unauthorized activity detection and control computingplatform 110 may monitor user requested events (e.g., at a self-servicekiosk, at a banking branch location, or the like) and may execute one ormore functions to determine whether the event includes unauthorizedactivity. To facilitate evaluation of the events to determine whetherthey include unauthorized activity, a database of unique identifiers(e.g., serial numbers) associated with monetary or currency bills ofvarious denominations may be built. Building the database may includescanning each currency bill as is received or dispensed by an entity,such as a financial institution, retail establishment, or the like, todetermine the unique identifier, a denomination of the bill, a currentlocation of the bill, and the like. A database event may then begenerated and the information may be stored in the database. As billsare dispensed from the entity (e.g., via a banking associate event,self-service kiosk event, or the like), or as bills already registeredin the database are detected subsequent times, the database eventassociated with that currency bill (e.g. based on the unique identifier)may be updated to indicate that the bill has been dispensed from theentity, has been received by another entity, or the like. In someexamples, various entities (e.g., government entities, retail entities,financial institutions, and the like) may execute the scanning andstoring process such that the database of bills and associatedinformation and current location is robust. Accordingly, in an event ofunauthorized activity (e.g., misappropriate of funds, or the like)historical information associated with particular bills may be retrievedfrom the database and used to assist in identifying the funds,identifying patterns of unauthorized activity, and the like.

Additionally or alternatively, in some arrangements, a self-servicekiosk malfunction may cause requested funds to fail to be dispensed oronly partially dispensed. Accordingly, the unique identifiers of thebills to be dispensed may be compared by, for example, the unauthorizedactivity detection and control computing platform, to bills remaining inthe self-service kiosk to confirm whether a full amount was dispensed toa user and potential unauthorized activity is associated with a requestto correct the issue, or whether the event was a device malfunction anda credit is owed to the user.

In still other examples, a self-service kiosk may evaluate funds orother objects submitted for deposit to confirm that the deposit includesvalid items for deposit. For instance, deposited funds may be scanned toidentify the unique identifier and denomination of each bill (e.g., viaoptical character recognition). Additionally or alternatively, each billor other item received for deposit by the self-service kiosk may beevaluated by one or more sensors, image capture devices, or the like, todetermine whether it includes metal, plastic, or other non-currencypaper or fabric material that is not expected in a deposit of funds, todetermine whether appropriate security measures, such as watermarks, inkcolor, embedded threads, and the like, are intact, and the like. Thisdata may be used by the unauthorized activity detection and controlcomputing platform 110 to detect potential unauthorized activity andidentify and/or execute one or more mitigation actions to reduce oreliminate impact of the unauthorized activity (e.g., modifyingfunctionality of the self-service kiosk, locking one or more useraccounts, initiating or activating additional data or image capturedevices to obtain additional information, and the like).

As discussed above, self-service kiosk may include any type ofself-service kiosk, such as an ATM, ATA, or the like, and may form partof a same device as the unauthorized activity detection and controlcomputing platform 110. Additionally or alternatively, a self-servicekiosk and the unauthorized activity detection and control computingplatform 110 may be physically separate devices that are in wired orwireless communication or are otherwise connected.

Internal computing system 125 may include one or more computing devices,systems, servers, computing platforms, or the like, internal to theenterprise or organization implementing the unauthorized activitydetection and control computing platform 110. For instance, internalcomputing system 125 may include account information associated with aplurality of users or customers of the enterprise. In some examples,internal computing system 125 may execute one or more authenticationfunctions associated with a user requesting an event or transaction at aself-service kiosk, or the like. Internal computing system 125 may hostor execute one or more applications configured to execute events, suchas requested transactions.

External computing system 140 may include one or more computing devices,systems, servers, computing platforms, or the like, that are external tothe entity or enterprise organization implementing the unauthorizedactivity detection and control computing platform 110. For instance,external computing system 140 may be associated with another financialinstitution, retail establishment, or the like, and may communicate withunauthorized activity detection and control computing platform 110 totransmit and receive data associated with one or more bills beingcatalogued in the database. Additionally or alternatively, externalcomputing system 140 may receive one or more notifications associatedwith potential unauthorized activity.

Local user computing device 1 150 and local user computing device 2 155may be enterprise computing devices in communication with one or moreother computing devices or systems. For instance, local user computingdevice 1 150 and/or local user computing device 2 155 may be computingdevices configured to communicate with unauthorized activity detectionand control computing platform 110 to receive and display one or moreidentified occurrences of unauthorized activity, information associatedwith the activity, and the like. In some examples, one or more of localuser computing device 1 150 and/or local user computing device 2 155 maybe computing devices associated with banking associates at a bankinglocation or branch. Local user computing device 1 150 and/or local usercomputing device 2 155 may be used to facilitate capture of uniqueidentifiers associated with bills being received by the enterprise,being dispensed by the enterprise, and the like. Local user computingdevice 1 150 and/or local user computing device 2 155 may further becomputing devices configured to control parameters associated withaspects of unauthorized activity detection and control computingplatform 110 (e.g., mitigation actions taken, notifications sent, or thelike), may display one or more notifications, and the like. In someexamples, local user computing device 1 150 and/or local user computingdevice 2 155 may further comprise a self-service kiosk.

Remote user computing device 1 170 and remote user computing device 2175 may be computing devices associated with a user outside of theenterprise and may, in some examples, be user computing devices (e.g.,desktop computers, laptop computers, tablet computers, smartphones, andthe like) that may be used to, for instance, authenticate a user to aself-service kiosk (e.g., via multi-factor authentication, transmissionof authentication data from the remote user computing device 1 170and/or remote user computing device 2 175 to the self-service kiosk, orthe like). In some examples, remote user computing device 1 170 and/orremote user computing device 2 175 may receive and display one or morenotifications generate and/or transmitted by the unauthorized activitydetection and control computing platform 110.

Computing environment 100 also may include one or more computingplatforms. For example, and as noted above, computing environment 100may include unauthorized activity detection and control computingplatform 110. As illustrated in greater detail below, unauthorizedactivity detection and control computing platform 110 may include one ormore computing devices configured to perform one or more of thefunctions described herein. For example, unauthorized activity detectionand control computing platform 110 may include one or more computers(e.g., laptop computers, desktop computers, servers, server blades, orthe like).

As mentioned above, computing environment 100 also may include one ormore networks, which may interconnect one or more of unauthorizedactivity detection and control computing platform 110, self-servicekiosk 120, internal computing system 125, external computing system 140,local user computing device 150, local user computing device 155, remoteuser computing device 170, and/or remote user computing device 175. Forexample, computing environment 100 may include private network 190 andpublic network 195. Private network 190 and/or public network 195 mayinclude one or more sub-networks (e.g., Local Area Networks (LANs), WideArea Networks (WANs), or the like). Private network 190 may beassociated with a particular organization or enterprise (e.g., acorporation, financial institution, educational institution,governmental institution, or the like) and may interconnect one or morecomputing devices associated with the organization. For example,unauthorized activity detection and control computing platform 110,self-service kiosk 120, internal computing system 125, local usercomputing device 150, and local user computing device 155, may beassociated with an organization or enterprise (e.g., a financialinstitution), and private network 190 may be associated with and/oroperated by the organization, and may include one or more networks(e.g., LANs, WANs, virtual private networks (VPNs), or the like) thatinterconnect unauthorized activity detection and control computingplatform 110, self-service kiosk 120, internal computing system 125,local user computing device 150, local user computing device 155, andone or more other computing devices and/or computer systems that areused by, operated by, and/or otherwise associated with the organizationor enterprise. Public network 195 may connect private network 190 and/orone or more computing devices connected thereto (e.g., unauthorizedactivity detection and control computing platform 110, self-servicekiosk 120, internal computing system 125, local user computing device150, local user computing device 155) with one or more networks and/orcomputing devices that are not associated with the organization. Forexample, external computing system 140, remote user computing device170, remote user computing device 175, might not be associated with anorganization or enterprise that operates private network 190 (e.g.,because external computing system 140, remote user computing device 170,and/or remote user computing device 175, may be owned, operated, and/orserviced by one or more entities different from the organization thatoperates private network 190, one or more customers of the organization,one or more employees of the organization, public or governmententities, and/or vendors of the organization, rather than being ownedand/or operated by the organization itself), and public network 195 mayinclude one or more networks (e.g., the internet) that connect externalcomputing system 140, remote user computing device 170, and/or remoteuser computing device 175, to private network 190 and/or one or morecomputing devices connected thereto (e.g., unauthorized activitydetection and control computing platform 110, self-service kiosk 120,internal computing system 125, local user computing device 150, localuser computing device 155). In some examples, unauthorized activitydetection and control computing platform 110 may communicate withexternal computing system 140, remote user computing device 170, 175(e.g., via public network 195) to receive and transmit unique identifierand additional data associated with one or more bills, transmitnotifications, and the like.

Referring to FIG. 1B, unauthorized activity detection and controlcomputing platform 110 may include one or more processors 111, memory112, and communication interface 113. A data bus may interconnectprocessor(s) 111, memory 112, and communication interface 113.Communication interface 113 may be a network interface configured tosupport communication between unauthorized activity detection andcontrol computing platform 110 and one or more networks (e.g., privatenetwork 190, public network 195, or the like). Memory 112 may includeone or more program modules having instructions that when executed byprocessor(s) 111 cause unauthorized activity detection and controlcomputing platform 110 to perform one or more functions described hereinand/or one or more databases that may store and/or otherwise maintaininformation which may be used by such program modules and/orprocessor(s) 111. In some instances, the one or more program modulesand/or databases may be stored by and/or maintained in different memoryunits of unauthorized activity detection and control computing platform110 and/or by different computing devices that may form and/or otherwisemake up unauthorized activity detection and control computing platform110.

For example, memory 112 may have, store and/or include scanning module112 a. Scanning module 112 a may store instructions and/or data that maycause or enable the unauthorized activity detection and controlcomputing platform 110 to scan one or more bills, extract data (e.g.,unique identifier, denomination, and the like) using, for example,optical character recognition, and transmit the scanned data, as well asadditional data (e.g., location, time, date, and the like) for storagein, for example, database 112 f. Scanning module 112 a may also includeinstructions and/or data that may cause or enable the unauthorizedactivity detection and control computing platform 110 to scan orotherwise evaluate items inserted into a self-service kiosk for depositto determine whether it is a valid deposit of funds. For instance,scanning module 112 a may execute one or more scans to detect metal orother particles or materials not associated with valid currency, detectwatermarks, embedded threads, and the like. In some arrangements,scanning module 112 a may generate and transmit one or more instructionsor commands to another computing device, such as self-service kiosk 120,local user computing device 150, local user computing device 155, toactivate one or more scanning devices, image capture devices, metaldetecting devices, and the like, and execute a data capture option viathe scanning device or similar devices.

Unauthorized activity detection and control computing platform 110 mayfurther have, store and/or include image capture device/sensor controlmodule 112 b. Image capture device/sensor control module 112 b may storeinstructions and/or data that may activate or initiate operation of oneor more image capture devices and/or sensors based on occurrence of atriggering event. For instance, if an object inserted into aself-service kiosk 120 includes metal or other materials not associatedwith valid currency, image capture device/sensor control module 112 bmay generate and/or transmit a signal to the self-service kiosk toactivate or initiate operation of one or more additional image captureand/or sensing devices to capture additional data, images, video, andthe like, associated with the deposit in an effort to evaluate thedeposit for potential unauthorized activity, identify a user associatedwith the event, and the like.

Unauthorized activity detection and control computing platform 110 mayfurther have, store and/or include data analysis module 112 c. Dataanalysis module 112 c may store instructions and/or data that may causeor enable unauthorized activity detection and control computing platform110 to evaluate data received, determine whether unauthorized activityhas occurred, identify one or more mitigation actions for execution, andthe like. For instance, data analysis module 112 c may analyze datareceived from one or more image capture, scanning devices, sensors, orthe like, to determine whether a deposit includes valid currency bills.In another example, data analysis module 112 c may compare uniqueidentifiers of currency bills within a self-service kiosk to thosedesignated as dispensed to determine whether the currency bills were, infact, dispensed from the self-service kiosk or whether unauthorizedactivity has occurred.

In some example, data analysis module 112 c may use machine learning toevaluate data received in order to detect unauthorized activity.Accordingly, unauthorized activity detection and control computingplatform 110 may have, store and/or include a machine learning engine112 d and machine learning datasets 112 e. Machine learning engine 112 dmay store instructions and/or data that may cause or enable unauthorizedactivity detection and control computing platform 110 to analyze data toidentify patterns or sequences, e.g., based on and machine learningdatasets 112 e, within the data to determine or predict thatunauthorized activity has occurred or may occur. For instance, ifcurrency bills are obtained through unauthorized activity, machinelearning may be used to detect what other currency bills were obtainedbased on, for example, the unique identifier associated with one or morebills, previously stored location data, and the like. In anotherexample, because the scale of cataloguing and tracking currency bills ofvarious denominations is overwhelming, machine learning may be used totrack and predict locations of one or more bills, identify patterns thatmay indicate unauthorized activity (e.g., repeated requests forwithdrawals of a same or similar amount in a particular geographic area,or the like). The machine learning datasets 112 e may be generated basedon analyzed data (e.g., data from previously received data, and thelike), raw data, and/or received from one or more outside sources.

The machine learning engine 112 d may receive data and, using one ormore machine learning algorithms, may generate one or more machinelearning datasets 112 e. Various machine learning algorithms may be usedwithout departing from the invention, such as supervised learningalgorithms, unsupervised learning algorithms, regression algorithms(e.g., linear regression, logistic regression, and the like), instancebased algorithms (e.g., learning vector quantization, locally weightedlearning, and the like), regularization algorithms (e.g., ridgeregression, least-angle regression, and the like), decision treealgorithms, Bayesian algorithms, clustering algorithms, artificialneural network algorithms, and the like. Additional or alternativemachine learning algorithms may be used without departing from theinvention.

As indicated above, unauthorized activity detection and controlcomputing platform 110 may further have, store and/or include database112 f. The database 112 f may store data associated with a plurality ofcurrency bills (e.g., a catalogue of bills in circulation) and mayinclude a unique identifier associated with each bill (e.g., a serialnumber), a denomination of each bills, a current or previouslyidentified location, an action data associated with each bill (e.g.,when and where dispensed by a banking associate, a self-service kiosk,or the like). As new bills are received and scanned, the database may bemodified to add or generate a new database event or entry to store dataassociated with the newly received bill.

FIGS. 2A and 2B illustrate schematic views of one example self-servicekiosk, such as an ATM, ATA, or the like. FIG. 2A illustrates oneschematic view of an exterior of the self-service kiosk 120, while FIG.2B is an interior view of self-service kiosk 120. The arrangement ofcomponents described with respect to FIGS. 2A and 2B is merely onearrangement and other arrangements of components, including more orfewer components, may be used without departing from the invention.

With reference to FIG. 2A, a schematic view of an exterior (e.g., front)of one example self-service kiosk 120 is shown. The self-service kiosk120 may include a display 202 that may include a touch screen to enableuser input. Additionally or alternatively, the self-service kiosk mayinclude a keypad 204 or one or more other user input devices.

Self-service kiosk 120 may further include a dispensing device 206.Dispensing device 206 may include one or more slots and/retractablecovers through which currency bills (and, in some examples, coins) aredispensed. Accordingly, when a user requests a withdrawal of an amountof funds, the funds may be dispensed to the user via the dispensingdevice 206.

Additionally or alternatively, self-service kiosk 120 may include one ormore image capture and/or sensing devices 210. For instance, a pluralityof image capture and/or sensing devices 210 may be distributed on oraround the self-service kiosk 120 to capture images, video, and/or dataassociated with a user, requested event or transaction, or the like.Although three image capture and/or sensing devices 210 a, 210 b, and210 c are shown, more of fewer devices may be used without departingfrom the invention.

The image capture and/or sensing devices 210 may each be a same type ofdevices or may include different types of devices. For instance, one ormore of the image capture and/or sensing devices 210 may include cameras(e.g., to capture one or more of still images and/or video images),motion sensors, light sensors, or the like. The image capture and/orsensing devices 210 may be continuously activated, may be activated upondetecting a user (e.g., via motion or the like), may be activated uponinitiation of a transaction or event (e.g., a user inserting a card,entering a personal identification number, or the like), upon detectinga presence of a mobile device of a user, or the like. Additionally oralternatively, one or more of image capture and/or sensing devices 210a, 210 b, 210 c may be activated based on a triggering event (e.g.,detection of a deposit including material not associated with validcurrency, detection of a report of malfunction of the self-servicekiosk, or the like). Further, in some arrangements, one or more of imagecapture and/or sensing devices 210 a, 210 b, 210 c may continuouslycapture data and record the data. The data may be stored for apre-determined time period (e.g., 24 hours, one week, or the like) toenable the system to retrieve data from a particular time period orevent to determine whether unauthorized activity occurred.

Self-service kiosk 120 may also include a deposit slot or device 208.The deposit slot or device 208 may be configured to receive currency,checks, or the like, for deposit in the self-service kiosk 120 from auser. The deposit slot or device 208 may include an aperture extendingfrom an exterior of the self-service kiosk 120 to an interior and itemssubmitted via deposit slot 208 may be stored in an interior compartmentof self-service kiosk 120.

FIG. 2B is a schematic of an interior of self-service kiosk 120. Theself-service kiosk 120 may include a computing device, system, platformor the like 216. The computing device 216 may include one or morecomponents similar to other computing devices described herein and mayinclude processor to control operation of the self-service kiosk,receive instructions or commands from another computing device, systemor platform, such as unauthorized activity detection and controlcomputing platform 110, or the like. The computing device may include amemory storing one or more applications executing on the self-servicekiosk.

Further, self-service kiosk may include a storage area or device 212.The storage area or device may include one storage portion or more thanone portion storing different types of currency (e.g., bills vs. coins),storing different denominations of currency, storing currency receivedfrom a user, storing currency to be dispensed to a user, and the like.The storage portion 212 may include a scanning device 214 a. Thescanning device 214 a may execute a scanning process on currency billsas they are received by the self-service kiosk (e.g., when funds aredeposited by a user, when the self-service kiosk is replenished by abanking associate, or the like). The scanning device 214 a may useoptical character recognition to detect a unique identifier associatedwith each currency bill and/or a denomination of each currency bill. Thescanning device 214 a may transmit the data to the computing device 216or directly to the unauthorized activity detection and control computingplatform 110. The scanned data may be stored with additional datarelated to each bill, such as a current location of the bill (e.g., byself-service kiosk identifier), a time and date at which the bill wasscanned at the current location, and the like.

In some examples, scanning device 214 a may further include devicesconfigured to evaluate items received for deposit by the self-servicekiosk 120 to evaluate them to determine whether they include validcurrency. For instance, scanning device 214 a may include a scanningdevice to detect metals or other materials that are not associated withvalid paper currency. Some unauthorized actors may insert metal objectsinto a deposit slot. When unauthorized activity of this nature occurs,the scanning device 214 a may quickly identify the deposited items asinvalid items for deposit (e.g., not valid currency, checks, or thelike) and, based on the detected invalid items, one or more sensingdevices may be activated, an account may be locked, functionality of theself-service kiosk 120 may be modified, or the like.

Sensing device 214 a may also evaluate deposited items to determinewhether appropriate watermarks exist on currency, whether embeddedthreads are present in expected locations, and the like, to verify thatthe currency is valid prior to crediting a user's account and, in manyexamples, while a user is present at the self-service kiosk 120 in orderto capture additional information about the user (e.g., for use indetecting unauthorized activity and mitigating impact associated withthe activity).

As discussed with respect to FIG. 2A, self-service kiosk 120 includes adispensing device 206. Dispensing device 206 may extend from an interiorof the self-service kiosk 120 to an exterior in order to dispensecurrency requested by a user. In some examples, another scanning device214 b may be positioned at or near the dispensing device 214 b in orderto capture data associated with bills being dispensed (e.g., uniqueidentifier, denomination, date, time, and the like). This informationmay then be used to update the database entry associated with each billto indicate that it was dispensed from the self-service kiosk 120.

In some examples, the scanning devices 214 a and 214 b may be used toscan bills within the self-service kiosk to determine whether amalfunction or error occurred in dispensing bills. For instance, ifbills were selected for dispensing and were scanned by, for instance,scanning device 214 b, if a malfunction or other error is reported, theself-service kiosk may scan bills near the dispensing device 206 and/orwithin storage area 212 to determine whether the bills were, in fact,dispensed and the report is unauthorized activity, or whether amalfunction did occur.

Interior of self-service kiosk 120 may further include a plurality ofimage capture and/or sensing devices 210 d, 210 e, and/or 210 f.Although three devices are shown, more or fewer may be used withoutdeparting from the invention. Similar to the image capture and/orsensing devices 210 a, 210 b, and/or 210 c arranged on the exterior ofthe self-service kiosk 120, image capture and/or sensing devices 210 d,210 e, 210 f may be distributed on or around the interior of theself-service kiosk 120 to capture images, video, and/or data associatedwith currency within the self-service kiosk, items submitted fordeposit, and the like. Although three image capture and/or sensingdevices 210 d, 210 e, and 210 f are shown, more of fewer devices may beused without departing from the invention.

The image capture and/or sensing devices 210 d, 210 e, 210 f may each bea same type of devices or may include different types of devices. Forinstance, one or more of the image capture and/or sensing devices 210 d,210 e, 210 f may include cameras (e.g., to capture one or more of stillimages and/or video images), motion sensors, light sensors, or the like.The image capture and/or sensing devices 210 d, 210 e, 210 f may becontinuously activated, may be activated upon detecting a user (e.g.,via motion or the like), may be activated upon initiation of atransaction or event (e.g., a user inserting a card, entering a personalidentification number, or the like), upon detecting a presence of amobile device of a user, or the like. Additionally or alternatively, oneor more of image capture and/or sensing devices 210 d, 210 e, 210 f maybe activated based on a triggering event (e.g., detection of a depositincluding material not associated with valid currency, detection of areport of malfunction of the self-service kiosk, or the like). Further,in some arrangements, one or more of image capture and/or sensingdevices 210 d, 210 e, 210 f may continuously capture data and record thedata. The data may be stored for a pre-determined time period (e.g., 24hours, one week, or the like) to enable the system to retrieve data froma particular time period or event to determine whether unauthorizedactivity occurred.

In some arrangements, image capture and/or sensing devices 210 d, 210 e,210 f may also detect or evaluate features of items submitted fordeposit (e.g., in conjunction with or instead of scanning device 214 a).For instance, image capture and/or sensing devices 210 d, 210 e, 210 fmay include metal detection capabilities, and the like, to evaluateitems submitted for deposit.

FIGS. 3A-3C depict one example illustrative event sequence forgenerating a currency catalogue for use in detecting and controllingunauthorized activity in accordance with one or more aspects describedherein. The events shown in the illustrative event sequence are merelyone example sequence and additional events may be added, or events maybe omitted, without departing from the invention.

With reference to FIG. 3A, at step 301, currency bills may be receivedby, for example, a self-service kiosk 120. Currency bills of variousdenominations may be received (e.g., via deposits from users) at aplurality of self-service kiosks. In response to receiving the bills,the bills may be scanned at step 302. For instance, optical characterrecognition may be used to identify and capture a unique identifier(e.g., serial number) associated with each bill and/or a denomination ofeach bill. In some examples, the scanned bills may also be evaluated todetermine whether they are valid currency (e.g., do not include metal orother materials not associated with valid currency, include appropriatewatermarks and/or embedded threads, include proper ink and/or coloring,and the like).

At step 303, additional data associated with each bill may be captured.For instance, a location of the self-service kiosk 120 at which the billwas received, a date, a time, and the like, may be captured andassociated with each bill.

At step 304, a connection may be established between the self-servicekiosk 120 and the unauthorized activity detection and control computingplatform 110. For instance, a first wireless connection may beestablished between the unauthorized activity detection and controlcomputing platform 110 and self-service kiosk 120. Upon establishing thefirst wireless connection, a communication session may be initiatedbetween unauthorized activity detection and control computing platform110 and self-service kiosk 120.

At step 305, results of the scan and the additional data may betransmitted from the self-service kiosk 120 to the unauthorized activitydetection and control computing platform 110. For instance, results ofthe scan (e.g., unique identifier, denomination, and the like), as wellas the captured additional information (e.g., location, date, time, andthe like) may be used to generate current bill data that may betransmitted from the self-service kiosk 120 to the unauthorized activitydetection and control computing platform 110 (e.g., during thecommunication session initiated upon establishing the first wirelessconnection.

With reference to FIG. 3B, at step 306, the current bill data, includingthe scan results and additional information, may be received by theunauthorized activity detection and control computing platform 110 andstored in a database. For instance, a database structure may be modifiedto add an additional event including the identified bill, and the like.In some examples, if the bill was previously scanned and stored, a newentry might not be created and, instead, the additional data (e.g.,location, time, date, and the like) may be used to update the previousdatabase entry. In some examples, updating the previous database entrymay include overwriting previous additional data elements to reflect thecurrent data. In other examples, the additional data may be cumulative(e.g., additional data elements may be associated with the bill) toprovide tracking of previous locations of a bill (e.g., the circulationroute of the bill).

At step 307, currency bills may be received by, for example, a bankinglocation, such as via an event or transaction conducted by a bankingassociate via local user computing device 150. Currency bills of variousdenominations may be received (e.g., via deposits from users) at aplurality of local user computing devices associated with a plurality ofbanking associates at a plurality of banking locations.

In response to receiving the bills, the bills may be scanned at step308. For instance, optical character recognition may be used to identifyand capture a unique identifier (e.g., serial number) associated witheach bill and/or a denomination of each bill. In some examples, thescanned bills may also be evaluated to determine whether they are validcurrency (e.g., include appropriate watermarks and/or embedded threads,include proper ink and/or coloring, and the like).

At step 309, additional data associated with each bill may be captured.For instance, a banking location of the banking associated andassociated local user computing device 150 at which the bill wasreceived, a date, a time, and the like, may be captured and associatedwith each bill.

At step 310, a connection may be established between the local usercomputing device 150 and the unauthorized activity detection and controlcomputing platform 110. For instance, a second wireless connection maybe established between the unauthorized activity detection and controlcomputing platform 110 and local user computing device 150. Uponestablishing the second wireless connection, a communication session maybe initiated between unauthorized activity detection and controlcomputing platform 110 and local user computing device 150.

With reference to FIG. 3C, at step 311, results of the scan and theadditional data may be transmitted from the local user computing device150 to the unauthorized activity detection and control computingplatform 110. For instance, results of the scan (e.g., uniqueidentifier, denomination, and the like), as well as the capturedadditional information (e.g., location, date, time, and the like) may beused to generate current bill data that may be transmitted from localuser computing device 150 to the unauthorized activity detection andcontrol computing platform 110 (e.g., during the communication sessioninitiated upon establishing the second wireless connection.

At step 312, the current bill data, including the scan results andadditional information, may be received by the unauthorized activitydetection and control computing platform 110 and stored in a database.For instance, a database structure may be modified to add an additionalevent including the identified bill, and the like. In some examples, ifthe bill was previously scanned and stored, a new entry might not becreated and, instead, the additional data (e.g., location, time, date,and the like) may be used to update the previous database entry. In someexamples, updating the previous database entry may include overwritingprevious additional data elements to reflect the current data. In otherexamples, the additional data may be cumulative (e.g., additional dataelements may be associated with the bill) to provide tracking ofprevious locations of a bill (e.g., the circulation route of the bill).

FIGS. 4A-4G depict one example illustrative event sequence fordynamically detecting unauthorized activity in accordance with one ormore aspects described herein. The events shown in the illustrativeevent sequence are merely one example sequence and additional events maybe added, or events may be omitted, without departing from theinvention.

At step 401, a request for access may be received by, for example, aself-service kiosk 120, such as an ATM, ATA or the like. In someexamples, the request for access may include detecting a presence of auser at the self-service kiosk 120 (e.g., based on detection of a signalassociated with a mobile device of the user, detecting motion of a uservia a motion sensor, or the like), and/or may include receiving, forexample, user input requesting the event, such as inserting a card intothe self-service kiosk 120. The request for access may prompt one ormore authentication processes to execute.

At step 402, authentication information may be received from the user.For instance, a user may input a password, personal identificationnumber (PIN), biometric data, or the like. The authenticationinformation may be provided via a user input device on the self-servicekiosk 120 and/or via a mobile device of the user, such as remote usercomputing device 170.

At step 403, a connection may be established between self-service kiosk120 and internal computing system 125. For instance, a first wirelessconnection may be established between internal computing system 125 andself-service kiosk 120. Upon establishing the first wireless connection,a communication session may be initiated between internal computingsystem 125 and self-service kiosk 120.

At step 404, the received authentication data may be transmitted fromthe self-service kiosk 120 to internal computing system 125 forverification. At step 405, the authentication data may be received byinternal computing system 125 and processed. For instance, processingthe authentication data may include comparing the receivedauthentication data to pre-stored authentication data associated with auser (e.g., based on a card inserted into self-service kiosk 120, basedon a mobile device detected, or the like).

With reference to FIG. 4B, at step 406, the internal computing system125 may generate authentication response data based on the processingperformed at step 405. For instance, if the authentication data receiveddoes not match pre-stored data, authentication response data denying therequested event or transaction may be generated. Alternatively, if thereceived authentication data matches the pre-stored data, authenticationresponse data authenticating the user may be generated.

At step 407, the authentication response data may be transmitted fromthe internal computing system 125 to the self-service kiosk 120. At step408, the authentication response data may be received by theself-service kiosk 120.

At step 409, if the authentication response data authenticates the user,functionality associated with the self-service kiosk 120 may beinitiated, activated or enabled. For instance, event or transactionprocessing functions may be initiated, activated or enabled based on theuser being authenticated.

At step 410, a request for an event or transaction may be received bythe self-service kiosk 120. For instance, user input may be received bythe self-service kiosk 120 requesting processing of one or more eventsor transactions. In some examples, the request for an event ortransaction may include a withdrawal request including a request forwithdrawal of currency funds including one or more currency bills fromthe self-service kiosk 120 and corresponding to a modification oradjustment to a user account (e.g., a debit from the user's account maybe made based on the requested withdrawal amount).

At step 411, one or more bills for dispensing may be identified. Forinstance, the self-service kiosk 120 may store a plurality of bills fordispensing. As discussed herein, the bills may be scanned and cataloguedsuch that a location of the bills in the self-service kiosk 120 isstored in a database. When a request for a withdrawal is received, oneor more bills corresponding to a requested amount of the withdrawal maybe identified for dispensing. In identifying the bills, the bills may bescanned or otherwise detected by the self-service kiosk 120 as beingdispensed. Scanning the bills may include capturing the uniqueidentifier and/or denomination, as well as capturing additionalinformation such as the date, time and/or location associated withdispensing the bills.

With reference to FIG. 4C, at step 412, a connection may be establishedbetween self-service kiosk 120 and unauthorized activity detection andcontrol computing platform 110. For instance, a second wirelessconnection may be established between unauthorized activity detectionand control computing platform 110 and self-service kiosk 120. Uponestablishing the second wireless connection, a communication session maybe initiated between unauthorized activity detection and controlcomputing platform 110 and self-service kiosk 120.

At step 413, data associated with the bills being dispensed may betransmitted from the self-service kiosk 120 to the unauthorized activitydetection and control computing platform 110. For instance, dataassociated with the unique identifier and/or denomination of the bills,and/or additional information captured, may be transmitted from theself-service kiosk 120 to the unauthorized activity detection andcontrol computing platform 110. In some examples, the data may betransmitted during the communication session initiated upon establishingthe second wireless connection.

At step 414, the data associated with the bills being dispensed may bereceived and, at step 415, the data may be processed to update one ormore database entries associated with each bill being dispensed. Forinstance, the unique identifier associated with each bill beingdispensed may be used as a query to identify database entries associatedwith each bill. Data elements associated with the database entry maythen be modified or updated to include the data associated withdispensing the bills.

At step 416, the bills may be dispensed by the self-service kiosk 120.For instance, the bills may be transferred from the storage area ofself-service kiosk 120 to the dispensing device and dispensed to therequesting user.

At step 417, a notification of error may be received by the self-servicekiosk 120. For instance, in some examples, a malfunction of theself-service kiosk 120 may occur and bills indicated as dispensed mightnot actually be dispensed to the user. In another example, a differentamount of funds than the requested amount may be dispensed to the user.Accordingly, in these arrangements, the user may provide user input tothe self-service kiosk 120 (or other enterprise unit) of themalfunction. However, in some examples, unauthorized users, or usersexecuting unauthorized activity, may indicate that an error has occurredwhen, in fact, the correct amount was dispensed.

With reference to FIG. 4D, at step 418, the received notification oferror may be transmitted from the self-service kiosk 120 to theunauthorized activity detection and control computing platform 110. Insome examples, the notification of error may be transmitted during thecommunication session initiated upon establishing the second wirelessconnection. In other examples, another wireless connection may beestablished and another communication session may be initiated.

At step 419, one or more instructions or commands for capturingadditional data may be generated. For instance, based on thenotification of error, which may include additional details about a typeof error, or the like, one or more instructions or commands to captureadditional data may be generated by the unauthorized activity detectionand control computing platform 110. In some examples, the instructionsfor capturing additional data may include an instruction to transmit,from one or more image capture and/or sensing devices at theself-service kiosk 120, data, such as image data, video data, and thelike. Additionally or alternatively, the one or more instructions orcommands may include an instruction or command to activate one or moreadditional image capture and/or sensing devices and transmit thecaptured data from additional image capture/sensing device of theself-service kiosk 120 to the unauthorized activity detection andcontrol computing platform 110. In some arrangements, this may includeactivating recording and/or image capture associated with one or moredevices on an exterior of the self-service kiosk 120 and/or one or moredevices on an interior of the self-service kiosk. In some arrangements,the instruction or command may include an instruction to scan all billswithin the self-service kiosk 120 in order to inventory the billsremaining in the self-service kiosk. The unauthorized activity detectionand control computing platform 110 may then search for the uniqueidentifier associated with the bills identified as dispensed. If thebills are detected during the scan, the self-service kiosk 120 may havemalfunctioned. If the bills are not detected, the bills may have beendispensed and the notification of error may include unauthorizedactivity.

At step 420, the commands or instructions to capture additional data maybe transmitted from the unauthorized activity detection and controlcomputing platform 110 to the self-service kiosk 120. In some examples,the generated instructions or commands may be transmitted during thecommunication session initiated upon establishing the second wirelessconnection. In other examples, another wireless connection may beestablished and another communication session may be initiated.

At step 421, the commands or instructions to capture additionalinformation may be received by the self-service kiosk 120 and executed.For instance, at step 422, an instruction or command to scan billswithin the self-service kiosk 120 may be executed. As discussed, thebills within the self-service kiosk 120 may be scanned to perform aninventory. As described herein, the inventory may be used to confirmwith the bills identified as dispensed we actually dispensed or whetheran error occurred.

In another example, at step 423, an instruction or command to activateone or more additional image capture and/or sensing devices may beexecuted. For instance, one or more additional image capture and/orsensing devices located on an interior or exterior of the self-servicekiosk 120 may be activated. In some examples, activating devices on anexterior of the self-service kiosk 120 may aid in capturing images orbehavior of the user to determine whether unauthorized activity hasoccurred or is occurring, to aid in identifying the user executing theunauthorized activity (e.g., in cases where the user may beauthenticated using credentials obtained through unauthorized activity,or the like). In some examples, image capture and/or sensing devices onan interior of the self-service kiosk 120 may be activated in order todetermine whether a jam occurred in one or more systems of theself-service kiosk (e.g., in transfer from the storage area to thedispensing device), whether bills are stuck in a dispensing device, orthe like. In some examples, image capture devices may include one ormore of still and/or video images. Sensing devices may include one ormore of pressure sensing devices, motion detecting devices, and thelike.

With reference to FIG. 4E, in another example, at step 424, aninstruction or command to retrieve captured images may be executed. Forinstance, self-service kiosk 120 may have one or more image capturedevices that may continuously capture image data, may automaticallyactivate upon detecting a user, or the like. Images captured by thesedevices may be retrieved based on the instruction executed.

Although this example includes execution of instructions to retrieveimages, scan bills and activate additional devices, in some examples,fewer instructions or commands may be generated or executed. Further, insome examples, machine learning may be used to identify particularinstructions or commands to generate and execute. For instance, based ondetails of the error received, machine learning may be used to identifypatterns in data in order to identify particular instructions forgeneration or execution in order to efficiently obtain information todetect unauthorized activity.

At step 425, additional information response data may be generated. Forinstance, results of any instructions or commands executed by theself-service kiosk 120 may be used to generate additional informationresponse data. Accordingly, the additional information response data mayinclude retrieved images, images captured by newly activated devices,results of the scan of bills, and the like.

At step 426, the additional information response data may be transmittedfrom the self-service kiosk 120 to the unauthorized activity detectionand control computing platform 110. In some examples, the additionalinformation response data may be transmitted during the communicationssession initiated upon establishing the second wireless connection. Inother examples, another wireless connection may be established andanother communication session may be initiated.

At step 427, the additional information response data may be received bythe unauthorized activity detection and control computing platform 110and analyzed. For instance, results of the inventory scan may beanalyzed to determine whether, based on the unique identifier, the billsidentified as dispensed are still within the self-service kiosk 120.Additionally or alternatively, images may be analyzed to determinewhether a jam has occurred (e.g., in transfer between storage anddispensing, at the dispensing device, or the like).

At step 428, based on the analysis of the additional informationresponse data, the unauthorized activity detection and control computingplatform 110 may determine whether unauthorized activity occurred. Forinstance, based on the inventory scan results, analysis of image data,and the like, a determination may be made as to whether unauthorizedactivity occurred or whether an error or malfunction occurred.

At step 429, based on the determination, one or more instructions orcommands modifying functionality of the self-service kiosk 120 may begenerated. For instance, if an error or malfunction occurred, one ormore functions or features provided by the self-service kiosk 120 may bedisabled until the malfunction may be corrected. Accordingly, aninstruction or command to disable one or more functions may begenerated. In another example, if unauthorized activity occurred,functionality available to the user at the self-service kiosk 120 (e.g.,the user who may have executed the unauthorized activity) may bemodified (e.g., deposits only, withdrawals, balance transfers or thelike may be disabled). Various other example functionality modificationsmay be generated without departing from the invention.

With reference to FIG. 4F, at step 430, the commands or instructionsmodifying functionality of the self-service kiosk 120 may be transmittedfrom the unauthorized activity detection and control computing platform110 to the self-service kiosk 120. At step 431, the generated commandsor instructions may be received by the self-service kiosk 120 andexecuted. Executing the commands may include modifying the functionalityof the self-service kiosk 120 as outlined in the instructions orcommands.

At step 432, based on the analysis performed at step 427, one or moreinstructions modifying an account of the user may be generated. Forinstance, if unauthorized activity is determined, a command orinstruction locking the account associated with the user may begenerated. In another example, if an error or malfunction occurred, aninstruction or command to credit the account of the user in the amountthat was indicated as dispensed but was not dispensed because of theerror may be generated. Various other instructions or commands modifyingone or more aspects associated with an account of the user may begenerated without departing from the invention.

At step 433, a connection may be established between unauthorizedactivity detection and control computing platform 110 and internalcomputing system 125. For instance, a third wireless connection may beestablished between unauthorized activity detection and controlcomputing platform 110 and internal computing system 125. Uponestablishing the third wireless connection, a communication session maybe initiated between unauthorized activity detection and controlcomputing platform 110 and internal computing system 125.

At step 434, the generated one or more commands or instructionsmodifying an account may be transmitted from the unauthorized activitydetection and control computing platform 110 to the internal computingsystem 125. The instructions or commands may be transmitted during thecommunication session initiated upon establishing the third wirelessconnection.

With reference to FIG. 4G, at step 435, the generated one or morecommands or instructions to modify an account may be received by theinternal computing system 125 and executed. Executing the one or morecommands or instructions may include modifying one or more aspectsassociated with the account (e.g., modifying a balance, modifyingauthentication requirements, locking the account, or the like).

At step 436, one or more notifications may be generated. For instance, anotification indicating that unauthorized activity has occurred andadditional action should be taken may be generated and transmitted toone or more computing devices. In some examples, law enforcement may benotified of the unauthorized activity. In another example, anotification of an error and/or associated modifications to a useraccount may be generated. Various other notifications may be generatedwithout departing from the invention.

At step 437, a connection may be established between unauthorizedactivity detection and control computing platform 110 and remote usercomputing device 170. For instance, a fourth wireless connection may beestablished between unauthorized activity detection and controlcomputing platform 110 and remote user computing device 170. Uponestablishing the fourth wireless connection, a communication session maybe initiated between unauthorized activity detection and controlcomputing platform 110 and remote user computing device.

At step 438, the generated notification may be transmitted from theunauthorized activity detection and control computing platform 110 to,for instance, remote user computing device 170. For instance, if thegenerated notification includes information related to the user account,the notification may be transmitted to the remote user computing device170 of the user. The notification may be transmitted during thecommunication session initiated upon establishing the fourth wirelessconnection.

Although the example shown in FIG. 4G illustrates a notification beingsent to remote user computing device 170, in some examples, anotification may be transmitted to local user computing device 150associated with a user of the account in addition to or in lieu orsending this notification. In some examples, the device to which thenotification is transmitted may be based on whether unauthorizedactivity was identified or not.

At step 439, the generated notification may be received by the remoteuser computing device 170 and displayed on a display of the remote usercomputing device 170.

FIGS. 5A-5G depict another example illustrative event sequence fordynamically detecting unauthorized activity in accordance with one ormore aspects described herein. The events shown in the illustrativeevent sequence are merely one example sequence and additional events maybe added, or events may be omitted, without departing from theinvention.

Similar to some aspects discussed with respect to FIGS. 4A-4G, at step501, a request for access may be received by, for example, aself-service kiosk 120, such as an ATM, ATA or the like. In someexamples, the request for access may include detecting a presence of auser at the self-service kiosk 120 (e.g., based on detection of a signalassociated with a mobile device of the user, detecting motion of a uservia a motion sensor, or the like), and/or may include receiving, forexample, user input requesting the event, such as inserting a card intothe self-service kiosk 120. The request for access may prompt one ormore authentication processes to execute.

At step 502, authentication information may be received from the user.For instance, a user may input a password, personal identificationnumber (PIN), biometric data, or the like. The authenticationinformation may be provided via a user input device on the self-servicekiosk 120 and/or via a mobile device of the user, such as remote usercomputing device 170.

At step 503, a connection may be established between self-service kiosk120 and internal computing system 125. For instance, a first wirelessconnection may be established between internal computing system 125 andself-service kiosk 120. Upon establishing the first wireless connection,a communication session may be initiated between internal computingsystem 125 and self-service kiosk 120.

At step 504, the received authentication data may be transmitted fromthe self-service kiosk 120 to internal computing system 125 forverification. At step 505, the authentication data may be received byinternal computing system 125 and processed. For instance, processingthe authentication data may include comparing the receivedauthentication data to pre-stored authentication data associated with auser (e.g., based on a card inserted into self-service kiosk 120, basedon a mobile device detected, or the like).

With reference to FIG. 5B, at step 506, the internal computing system125 may generate authentication response data based on the processingperformed at step 505. For instance, if the authentication data receiveddoes not match pre-stored data, authentication response data denying therequested event or transaction may be generated. Alternatively, if thereceived authentication data matches the pre-stored data, authenticationresponse data authenticating the user may be generated.

At step 507, the authentication response data may be transmitted fromthe internal computing system 125 to the self-service kiosk 120. At step508, the authentication response data may be received by theself-service kiosk 120.

At step 509, if the authentication response data authenticates the user,functionality associated with the self-service kiosk 120 may beinitiated, activated or enabled. For instance, event or transactionprocessing functions may be initiated, activated or enabled based on theuser being authenticated.

At step 510, a request for an event or transaction may be received bythe self-service kiosk 120. For instance, user input may be received bythe self-service kiosk 120 requesting processing of one or more eventsor transactions. In some examples, the request for an event ortransaction may include a request to deposit funds to a user account viathe self-service kiosk 120.

At step 511, a deposit aperture or other device configured to receiveitems for deposit from a user may be opened or otherwise may be enabledto accept a deposit from the user. In some examples, user's may depositcurrency funds, checks, and the like. However, in some examples ofunauthorized activity, users may deposit items that are not valid fordeposit (e.g., invalid checks, invalid currency, objects not associatedwith currency or checks or the like).

With reference to FIG. 5C, at step 512, one or more items for depositmay be received. As discussed, items received for deposit may includevalid currency and/or checks, as well as items that are not valid fordeposit.

At step 513, the items received for deposit may be analyzed or evaluatedto determine whether they are valid items for deposit. For instance,metal detectors (e.g., the one or more sensing devices may include metaldetecting devices) may be used to determine whether the items includemetal or other materials not associated with valid items for deposit.Additionally or alternatively, one or more sensing devices may be usedto evaluate the items for the presence of a watermark expected on validitems, for threads embedded within valid items, for ink or coloringassociated with valid items, and the like.

Further, as items are received for deposit, they may be scanned tocapture (e.g., via optical character recognition) a unique identifier,such as a serial number, a denomination, and the like. Additionalinformation may also be capture and this data may be stored in adatabase, as discussed herein. In receiving an item for deposit, theserial number may be used to determine whether a previous entry in thedatabase was created for that bill. If so, data associated with the billmay be updated after confirming that details match previous details(e.g., that the denomination is the same). If, when comparing adenomination associated with a received bill to a denominationassociated with the previously scanned bill having that serial number orunique identifier, a discrepancy is identified, the bill may be flaggedas potentially unauthorized and might not be considered valid fordeposit.

Based on the evaluation of the items for deposit, if the deposited itemsare valid, the deposit may be processed and one or more accounts may bemodified, updated, credited or the like.

At step 514, based on the evaluation of the items for deposit, if one ormore items received are not valid for deposit, an error may be detectedin the deposit. In detecting the error, additional informationassociated with the deposited items may be captured, such as type oferror detected, or the like.

At step 515, a connection may be established between self-service kiosk120 and unauthorized activity detection and control computing platform110. For instance, a second wireless connection may be establishedbetween unauthorized activity detection and control computing platform110 and self-service kiosk 120. Upon establishing the second wirelessconnection, a communication session may be initiated betweenunauthorized activity detection and control computing platform 110 andself-service kiosk 120.

At step 516, the error detection may be transmitted from theself-service kiosk 120 to the unauthorized activity detection andcontrol computing platform 110. In some examples, any additionalinformation associated with the detected error may also be transmitted.In some arrangements, the error detection may be transmitted during thecommunication session initiated upon establishing the second wirelessconnection.

At step 517, the error detection may be received by the unauthorizedactivity detection and control computing platform 110 and one or moreinstructions or commands to capture additional data may be generated.For instance, based on the error detection, which may include additionaldetails about a type of error, or the like, one or more instructions orcommands to capture additional data may be generated by the unauthorizedactivity detection and control computing platform 110. In some examples,the instructions for capturing additional data may include aninstruction to transmit, from one or more image capture and/or sensingdevices at the self-service kiosk 120, data, such as image data, videodata, and the like. Additionally or alternatively, the one or moreinstructions or commands may include an instruction or command toactivate one or more additional image capture and/or sensing devices andtransmit the captured data from additional image capture/sensing deviceof the self-service kiosk 120 to the unauthorized activity detection andcontrol computing platform 110. In some arrangements, this may includeactivating recording and/or image capture associated with one or moredevices on an exterior of the self-service kiosk 120 and/or one or moredevices on an interior of the self-service kiosk.

With reference to FIG. 5D, at step 518, the commands or instructions tocapture additional data may be transmitted from the unauthorizedactivity detection and control computing platform 110 to theself-service kiosk 120. In some examples, the generated instructions orcommands may be transmitted during the communication session initiatedupon establishing the second wireless connection. In other examples,another wireless connection may be established and another communicationsession may be initiated.

At step 519, the commands or instructions to capture additionalinformation may be received by the self-service kiosk 120 and executed.For instance, at step 420, an instruction or command to activate one ormore additional image capture and/or sensing devices may be executed.For instance, one or more additional image capture and/or sensingdevices located on an interior or exterior of the self-service kiosk 120may be activated. In some examples, activating devices on an exterior ofthe self-service kiosk 120 may aid in capturing images or behavior ofthe user to determine whether unauthorized activity has occurred or isoccurring, to aid in identifying the user executing the unauthorizedactivity (e.g., in cases where the user may be authenticated usingcredentials obtained through unauthorized activity, or the like), toidentify items inserted into a deposit slot, or the like. In someexamples, image capture and/or sensing devices on an interior of theself-service kiosk 120 may be activated in order to determine whether ajam occurred in one or more systems of the self-service kiosk (e.g., intransfer from the storage area to the dispensing device), what invaliditems or types of invalid items were inserted into the self-servicekiosk 120, or the like. In some examples, image capture devices mayinclude one or more of still and/or video images. Sensing devices mayinclude one or more of pressure sensing devices, motion detectingdevices, metal detecting devices, and the like.

At step 521, in another example, at step 424, an instruction or commandto retrieve captured images may be executed. For instance, self-servicekiosk 120 may have one or more image capture devices that maycontinuously capture image data, may automatically activate upondetecting a user, or the like. Images captured by these devices may beretrieved based on the instruction executed (e.g., based on date andtime requested, for a preceding time period (e.g., last hour, last 24hours, or the like).

Although this example includes execution of instructions to retrieveimages and activate additional devices, in some examples, more or fewerinstructions or commands may be generated or executed. Further, in someexamples, machine learning may be used to identify particularinstructions or commands to generate and execute. For instance, based ondetails of the error received, machine learning may be used to identifypatterns in data in order to identify particular instructions forgeneration or execution in order to efficiently obtain information todetect unauthorized activity.

At step 522, additional information response data may be generated. Forinstance, results of any instructions or commands executed by theself-service kiosk 120 may be used to generate additional informationresponse data. Accordingly, the additional information response data mayinclude retrieved images, images captured by newly activated devices,and the like.

With reference to FIG. 5E, at step 523, the additional informationresponse data may be transmitted from the self-service kiosk 120 to theunauthorized activity detection and control computing platform 110. Insome examples, the additional information response data may betransmitted during the communications session initiated uponestablishing the second wireless connection. In other examples, anotherwireless connection may be established and another communication sessionmay be initiated.

At step 524, the additional information response data may be received bythe unauthorized activity detection and control computing platform 110and analyzed. For instance, data from one or more image capture devicesand/or sensing devices may be analyzed to confirm the items for depositwere not valid items for deposit and/or evaluate or identify the type ofitems submitted for deposit. Additionally or alternatively, image datamay be analyzed to determine whether the user deliberately inserted theitems or the items were deposited in error (e.g., positioned betweenvalid items for deposit, or the like).

At step 525, based on the analysis of the additional informationresponse data, the unauthorized activity detection and control computingplatform 110 may determine whether unauthorized activity occurred. Forinstance, based on the analysis of image data, sensing device data, andthe like, a determination may be made as to whether unauthorizedactivity occurred or whether an error or malfunction occurred.

At step 526, based on the determination, one or more instructions orcommands modifying functionality of the self-service kiosk 120 may begenerated. For instance, if an error or malfunction occurred, one ormore functions or features provided by the self-service kiosk 120 may bedisabled until the malfunction may be corrected. Accordingly, aninstruction or command to disable one or more functions may begenerated. In another example, if unauthorized activity occurred,functionality available to the user at the self-service kiosk 120 (e.g.,the user who may have executed the unauthorized activity) may bemodified (e.g., deposits only, withdrawals, balance transfers or thelike may be disabled). Various other example functionality modificationsmay be generated without departing from the invention.

At step 527, the commands or instructions modifying functionality of theself-service kiosk 120 may be transmitted from the unauthorized activitydetection and control computing platform 110 to the self-service kiosk120. At step 528, the generated commands or instructions may be receivedby the self-service kiosk 120 and executed. Executing the commands mayinclude modifying the functionality of the self-service kiosk 120 asoutlined in the instructions or commands.

With reference to FIG. 5F, at step 529, based on the analysis performedat step 524 and determination at step 525, one or more instructionsmodifying an account of the user may be generated. For instance, ifunauthorized activity is determined, a command or instruction lockingthe account associated with the user may be generated. Various otherinstructions or commands modifying one or more aspects associated withan account of the user may be generated without departing from theinvention.

At step 530, a connection may be established between unauthorizedactivity detection and control computing platform 110 and internalcomputing system 125. For instance, a third wireless connection may beestablished between unauthorized activity detection and controlcomputing platform 110 and internal computing system 125. Uponestablishing the third wireless connection, a communication session maybe initiated between unauthorized activity detection and controlcomputing platform 110 and internal computing system 125.

At step 531, the generated one or more commands or instructionsmodifying an account may be transmitted from the unauthorized activitydetection and control computing platform 110 to the internal computingsystem 125. The instructions or commands may be transmitted during thecommunication session initiated upon establishing the third wirelessconnection.

At step 532, the generated one or more commands or instructions tomodify an account may be received by the internal computing system 125and executed. Executing the one or more commands or instructions mayinclude modifying one or more aspects associated with the account (e.g.,modifying a balance, modifying authentication requirements, locking theaccount, or the like).

At step 533, one or more notifications may be generated. For instance, anotification indicating that unauthorized activity has occurred andadditional action should be taken may be generated and transmitted toone or more computing devices. In some examples, law enforcement may benotified of the unauthorized activity. In another example, anotification of an error and/or associated modifications to a useraccount may be generated. Various other notifications may be generatedwithout departing from the invention.

With reference to FIG. 5G, at step 534, a connection may be establishedbetween unauthorized activity detection and control computing platform110 and local user computing device 150. For instance, a fourth wirelessconnection may be established between unauthorized activity detectionand control computing platform 110 and local user computing device 150.Upon establishing the fourth wireless connection, a communicationsession may be initiated between unauthorized activity detection andcontrol computing platform 110 and local user computing device 150.

At step 535, the generated notification may be transmitted from theunauthorized activity detection and control computing platform 110 to,for instance, local user computing device 150. For instance, if thegenerated notification includes information related to unauthorizedactivity, the notification may be transmitted to the local usercomputing device 150 which may be a computing device associated with auser at the enterprise implementing the unauthorized activity detectionand control computing platform 110, such as a banking associate, systemadministrator, or the like. The notification may be transmitted duringthe communication session initiated upon establishing the fourthwireless connection.

Although the example shown in FIG. 5G illustrates a notification beingsent to local user computing device 150, in some examples, anotification may be transmitted to remote user computing device 170associated with a user of the account in addition to or in lieu orsending this notification. In some examples, the device to which thenotification is transmitted may be based on whether unauthorizedactivity was identified or not.

At step 536, the generated notification may be received by the localuser computing device 150 and displayed on a display of the local usercomputing device 150.

FIG. 6 is a flow chart illustrating one example method of implementingdynamic unauthorized activity detection and control functions accordingto one or more aspects described herein. The processes illustrated inFIG. 6 are merely some example processes and functions. The steps shownmay be performed in the order shown, in a different order, more stepsmay be added, or one or more steps may be omitted, without departingfrom the invention. In some examples, one or more steps may be performedsimultaneously with other steps shown and described.

At step 600, request for funds may be received by, for instance, aself-service kiosk, such as an ATM, ATA, or the like. The request forfunds may include a request for a particular amount of currency.

At step 602, one or more currency bills for dispensing may beidentified. For instance, a first plurality of currency bills may bestored in a storage area of the self-service kiosk 120. Upon receivingthe request for funds, a second plurality of bills (e.g., a portion orfewer than all of the bills in the storage area of the self-servicekiosk 120) may be identified for dispensing. The second plurality ofbills may have denominations corresponding to the requested amount.

At step 604, currency bill data associated with each currency bill inthe second plurality of currency bills may be captured. For instance,each currency bill in the second plurality of currency bills may bescanned (e.g., via a scanning device of the self-service kiosk) toidentify a unique identifier associated with each bill (e.g., a serialnumber) and/or a denomination of each currency bill. In some examples,additional information, such as location, time, date, or the like, mayalso be captured. The currency bills of the second plurality of currencybills may be flagged as being dispensed.

At step 606, the captured bill data may be stored. For instance, adatabase storing bill identification data may be updated and/or modifiedto include current information related to each currency bill and theindication that the bills are being dispensed.

At step 608, the second plurality of bill may be transferred fordispensing. For instance, the second plurality of bills may betransferred from the storage area of the self-service kiosk 120 to adispensing device of the self-service kiosk 120.

At step 610, a notification of error may be received. For instance, theself-service kiosk 120 may receive a notification that an error ormalfunction occurred in dispensing the second plurality of currencybills. In some examples, the notification of error may be received froma user (e.g., via user input into the self-service kiosk 120 or othercomputing device).

At step 612, an instruction to scan all currency bills within theself-service kiosk 120 may be executed. For instance, in order todetermine whether the second plurality of currency bills were actuallydispensed or are, for example, causing a jam in the self-service kiosk120, an instruction to scan all currency bills within the self-servicekiosk 120 may be executed. The scan may be performed by scanning deviceof the self-service kiosk and may include capturing the uniqueidentifier associated with each bill. As each unique identifier iscaptured by the scanning device, it may be compared to the uniqueidentifier associated with each currency bill of the second plurality ofcurrency bills. The scan may continue until all currency bills of thesecond plurality of currency bills are identified during the scan (e.g.,each unique identifier is detected during the scan) or until all billshave been scanned.

At step 614, a determination may be made as to whether the currencybills of the second plurality of bills are still present within theself-service kiosk 120. For instance, if the unique identifierassociated with the currency bills of the second plurality of currencybills are detected, an error or malfunction has occurred and the billswere not properly dispensed. If they are not detected, unauthorizedactivity (e.g., a report that the user did not receive the funds when heor she did) may be occurring.

If, at step 614, the second plurality of currency bills is present, aninstruction to modify the functionality of the self-service kiosk and/orcredit an account of a user may be executed at step 616. For instance,if the bills did not dispense properly, the functionality of theself-service kiosk may be modified to prevent further withdrawals untilthe error or malfunction can be evaluated or fixed. Additionally oralternatively, the user account may be credited in the amount that wasindicated as dispensed but was not actually dispensed.

If, at step 614, the second plurality of currency bills is not present,unauthorized activity may be occurring an instruction to lock an accountof a user may be executed at step 618. Locking the account of the usermay include preventing access to the account, preventing deposits orwithdrawals to the account, generating a transmitting a notification tothe user, and the like.

FIG. 7 is a flow chart illustrating one example method of implementingdynamic unauthorized activity detection and control functions accordingto one or more aspects described herein. The processes illustrated inFIG. 7 are merely some example processes and functions. The steps shownmay be performed in the order shown, in a different order, more stepsmay be added, or one or more steps may be omitted, without departingfrom the invention. In some examples, one or more steps may be performedsimultaneously with other steps shown and described.

At step 700, request to make a deposit may be received by, for instance,a self-service kiosk, such as an ATM, ATA, or the like.

At step 702, responsive to receiving the request for deposit, depositfunctionality of the self-service kiosk 120 may be enabled. Forinstance, one or more functions associated with receiving a deposit maybe activated, initiated or enabled.

At step 704, one or more items for deposit may be received. In someexamples, the one or more items for deposit may be received in oneprocess (e.g., all items for deposit inserted into a deposit device atone time). In other examples, each item may be received individually.

At step 706, the one or more items for deposit may be evaluated todetermine whether they include valid items for deposit. For instance,each item submitted for deposit may be evaluated to determine whether itincludes metal or other material not associated with valid items fordeposit. In another example, each item for deposit may be evaluated todetermine whether it includes an expected watermark, ink color, embeddedthreat, or the like. Various other aspects of the items may be evaluatedto determine whether they are valid items for deposit without departingfrom the invention.

At step 708, a determination may be made, based on the evaluation, ofwhether the one or more items for deposit are valid items. If so, thedeposit may be processed at step 710 and a user account may be creditedwith an amount of the deposit.

If, at step 708, the one or more items for deposit include at least oneitem not valid for deposit, at step 712, an instruction to activate oneor more image capture devices may be executed. For instance, aninstruction to activate one or more image capture devices on an interiorof the self-service kiosk 120 or an exterior of the self-service kiosk120 may be executed. Additional information may be captured by the imagecapture devices and may be used to identify one or more mitigatingactions, confirm unauthorized activity, or the like.

At step 714, an instruction to lock an account of the user associatedwith the request for deposit may be executed. Locking the account of theuser may include preventing access to the account until the unauthorizedactivity is further evaluated.

FIG. 8 illustrates one example notification that may be generated andtransmitted according to one or more aspects described herein. Thenotification in FIG. 8 may include a user interface 800 that may betransmitted to, for instance, a user computing device. The interface 800includes an indication that an error or malfunction occurred and thatthe user's account may be credited as needed.

FIG. 9 illustrates one example notification that may be generated andtransmitted according to one or more aspects described herein. Thenotification in FIG. 9 may include a user interface 900 that may betransmitted to, for example, a local user computing device associatedwith the enterprise organization associated with the self-service kiosk.The interface 900 may include an indication that unauthorized activitywas detected, a location of the activity and one or more mitigatingactions that were executed.

The example notifications in FIGS. 8 and 9 are merely some examplenotifications and other notifications, having alternative or additionalinformation, may be generated without departing from the invention. Inorder to track currency bills and facilitate analysis of potentialunauthorized activity, a catalogue of currency may be established, asdiscussed herein. The catalogue may include a database storing a uniqueidentifier associated with each bill captured by the system, as well asadditional details such as denomination, location, and the like.Accordingly, a record of circulation of each bill captured may bemaintained. In some examples, the catalogue may enable an entity, suchas a financial institution, retail establishment, or the like, to knowexactly which bills are held by the entity (e.g., based on uniqueidentifier) at any given time.

As discussed herein, aspects described relate to detection ofunauthorized activity and execution of one or more mitigating actions inresponse to the detected unauthorized activity. As discussed herein,various forms of unauthorized activity may be executed at a self-servicekiosk. For instance, a user may report that he or she did not receivefunds requested for withdrawal or did not receive the full amount offunds, users may attempt to deposit items that are not valid currency,or the like. Accordingly, arrangements described herein modifyfunctionality of self-service kiosks to enable evaluation of currencyand other items to quickly detect unauthorized activity and efficientlyexecute mitigating actions.

For instance, a self-service kiosk may have a storage area that includesa plurality of currency bills. Identifying information associated witheach bill in the storage area may be captured (e.g., as bills arereceived, as bills are loaded into the storage area, or the like). Asrequests for withdrawals are received, identifying informationassociated with bills being dispensed may be captured and an indicationthat the bills are being dispensed may be stored. If an report of afailure of funds to dispense or an inaccurate amount of funds dispensingis received, the system may retrieve data associated with the dispensedfunds for that transaction and may scan bills within the self-servicekiosk to determine whether the bills are present. Additionally oralternatively, image data may be used to determine whether the billswere dispensed (e.g., image data from an interior of the self-servicekiosk showing the dispensing device, image data from an exterior of theself-service kiosk showing the dispensed bills, and the like).

As discussed, currency may be scanned at a plurality of differententities or currency bill scan data may be received from a plurality ofdifferent channels (e.g., self-service kiosk, banking associate, and thelike). Accordingly, as currency bills are received or dispensed by anyof the plurality of entities, data associated with movement of each billand data identifying each bill may be captured and stored. Accordingly,if a particular bill is detected as part of one or more unauthorizedactivities, the route of that bill in circulation may be retrieved fromthe database. In some examples, machine learning may be used to detectpatterns in the route of one or more bills to detect or predictunauthorized activity. For instance, machine learning may be used toidentify other bills having similar patterns or routes of circulation tobills identified as used in unauthorized activity, which may indicateadditional unauthorized activity. Using machine learning may allow thesystem to process vast amounts of data quickly in order to predicting ordetect, early in an occurrence of unauthorized activity, the activityand execute one or more mitigating actions.

In some examples, if unauthorized activity is detected but currency hasalready been dispensed, the bills dispensed (e.g., via a self-servicekiosk, banking associate, retail establishment, or the like) may beflagged and, upon being scanned (e.g., when used by an unauthorizedactor) the transaction for which the bills are being used may beidentified as potential unauthorized activity, cancelled, investigated,law enforcement may be called, or the like.

For instance, if an unauthorized actor enters a banking location andwithdraws funds from another person's account, the funds may bedispensed to the unauthorized actor. The identifier features of eachbill dispensed may be captured and stored. Accordingly, when theauthorized user detects the unauthorized activity and reports it, theidentifying features of the dispensed bills may be retrieved andflagged. If those bills should be received by another entity (e.g.,deposited at another financial institution, used to make a purchase at aretail establishment), the bills may be scanned upon receipt (e.g., toupdate the currency catalogue) and a notification or warning that thebills are associated with unauthorized activity may be transmitted ordisplayed. Accordingly, any further impact of the unauthorized activitymay be reduced or eliminated.

In some examples, as potential issues are detected, one or more alerts(e.g., automated alerts) may be generated and transmitted. For instance,as discussed herein, when potential unauthorized activity occurs at aself-service kiosk, notifications may be generated and transmitted to auser, a system administrator, or the like. Additionally oralternatively, if one or more currency bills are associated withunauthorized activity, an automated alert may be transmitted to one ormore other entities (e.g., other financial institutions, retailestablishments, or the like) indicating the occurrence of potentialunauthorized activity. In some examples, an automated alert may betransmitted to law enforcement.

As discussed herein, data from one or more image capture devices,sensing devices, and the like, may be used to analyze the potentialunauthorized activity. In some examples, image and/or sensor data fromone or more devices that may continuously monitor the self-service kioskor may be activated upon initiation of a transaction, presence of auser, or the like may be retrieved and used. Additionally oralternatively, upon detecting potential unauthorized activity, one ormore additional image capture devices, sensing devices, or the like, maybe activated and data received and analyzed from the additional devices.

As discussed, unauthorized activity associated with deposits at aself-service kiosk may also be detected. As described, unauthorizedactors may insert items for deposit that may not be valid items. In someexamples, household items (e.g., plastic or metal spatula, or the like),non-currency paper, and the like, may be inserted for deposit in aneffort to execute unauthorized activity. However, by evaluating itemsfor deposit, as discussed herein, the potential unauthorized activitymay be detected before the deposit is processed (e.g., before a balanceof an account of the user is modified) in order to mitigate impact ofthe unauthorized activity.

In some examples, metal detecting devices may be used to detect objectsthat are not valid for deposit. In another example, as discussed above,items for deposit may be scanned and the unique identifier anddenomination captured. This data may be compared to previous stored datafor the bill (e.g., if the bill was previously scanned and data storedin the database). If a discrepancy is detected, the bill may be flaggedas potential unauthorized activity.

For instance, an unauthorized actor may modify a bill having adenomination of $5 to appear to be a bill having a denomination of $20.When the modified bill is scanned after being deposited, the uniqueidentifier and denomination (e.g., $20 on the newly received bill) maybe compared to a previous entry in the database which may reflect thatthe unique identifier is associated with a bill having a denomination of$5. Accordingly, the bill may be flagged as potential unauthorizedactivity prior to processing the deposit.

As discussed, when a plurality of items is submitted for deposit, eachitem may be evaluated to determine whether it is a valid item fordeposit. For instance, if a plurality of items are submitted fordeposit, some items may be valid for deposit while others are not.Accordingly, each item may be evaluated individually to determinevalidity for deposit.

Further, a variety of mitigating actions may be executed based ondetection of unauthorized activity. For instance, limiting or disablingfunctionality of a self-service kiosk until further investigation iscompleted, locking an account of a user, limiting functionality of theself-service kiosk for the particular user, and the like. In someexamples, the mitigating actions executed may depend on a time of day atwhich the unauthorized activity occurred. For instance, if duringbusiness hours, the self-service kiosk may be disabled and a bankingassociate may service the self-service kiosk. Alternatively, if theunauthorized activity occurs outside of normal business hours, somefunctionality of the self-service kiosk may be maintained.

In some examples, upon detecting an issue associated with itemsdeposited, additional information associate with the deposit may becaptured or recorded to aid in investigating the occurrence. Forinstance, additional images, data, and the like, associated with thetransaction or for a predetermined time period surrounding the issue maybe captured and used for further investigation into the issue.

Accordingly, by enhancing functionality of self-service kiosks, and bycreating a catalogue of currency in circulation, unauthorized activitymay be quickly detected and mitigating actions efficiently implemented.

FIG. 10 depicts an illustrative operating environment in which variousaspects of the present disclosure may be implemented in accordance withone or more example embodiments. Referring to FIG. 10, computing systemenvironment 1000 may be used according to one or more illustrativeembodiments. Computing system environment 1000 is only one example of asuitable computing environment and is not intended to suggest anylimitation as to the scope of use or functionality contained in thedisclosure. Computing system environment 1000 should not be interpretedas having any dependency or requirement relating to any one orcombination of components shown in illustrative computing systemenvironment 1000.

Computing system environment 1000 may include unauthorized activitydetection and control computing device 1001 having processor 1003 forcontrolling overall operation of unauthorized activity detection andcontrol computing device 1001 and its associated components, includingRandom Access Memory (RAM) 1005, Read-Only Memory (ROM) 1007,communications module 1009, and memory 1015. Unauthorized activitydetection and control computing device 1001 may include a variety ofcomputer readable media. Computer readable media may be any availablemedia that may be accessed by unauthorized activity detection andcontrol computing device 1001, may be non-transitory, and may includevolatile and nonvolatile, removable and non-removable media implementedin any method or technology for storage of information such ascomputer-readable instructions, object code, data structures, programmodules, or other data. Examples of computer readable media may includeRandom Access Memory (RAM), Read Only Memory (ROM), ElectronicallyErasable Programmable Read-Only Memory (EEPROM), flash memory or othermemory technology, Compact Disk Read-Only Memory (CD-ROM), DigitalVersatile Disk (DVD) or other optical disk storage, magnetic cassettes,magnetic tape, magnetic disk storage or other magnetic storage devices,or any other medium that can be used to store the desired informationand that can be accessed by unauthorized activity detection and controlcomputing device 1001.

Although not required, various aspects described herein may be embodiedas a method, a data transfer system, or as a computer-readable mediumstoring computer-executable instructions. For example, acomputer-readable medium storing instructions to cause a processor toperform steps of a method in accordance with aspects of the disclosedembodiments is contemplated. For example, aspects of method stepsdisclosed herein may be executed on a processor on unauthorized activitydetection and control computing device 1001. Such a processor mayexecute computer-executable instructions stored on a computer-readablemedium.

Software may be stored within memory 1015 and/or storage to provideinstructions to processor 1003 for enabling unauthorized activitydetection and control computing device 1001 to perform various functionsas discussed herein. For example, memory 1015 may store software used byunauthorized activity detection and control computing device 1001, suchas operating system 1017, application programs 1019, and associateddatabase 1021. Also, some or all of the computer executable instructionsfor unauthorized activity detection and control computing device 1001may be embodied in hardware or firmware. Although not shown, RAM 1005may include one or more applications representing the application datastored in RAM 1005 while unauthorized activity detection and controlcomputing device 1001 is on and corresponding software applications(e.g., software tasks) are running on unauthorized activity detectionand control computing device 1001.

Communications module 1009 may include a microphone, keypad, touchscreen, and/or stylus through which a user of unauthorized activitydetection and control computing device 1001 may provide input, and mayalso include one or more of a speaker for providing audio output and avideo display device for providing textual, audiovisual and/or graphicaloutput. Computing system environment 1000 may also include opticalscanners (not shown in FIG. 10).

Unauthorized activity detection and control computing device 1001 mayoperate in a networked environment supporting connections to one or moreremote computing devices, such as computing devices 1041 and 1051.Computing devices 1041 and 1051 may be personal computing devices orservers that include any or all of the elements described above relativeto unauthorized activity detection and control computing device 1001.

The network connections depicted in FIG. 10 may include Local AreaNetwork (LAN) 1025 and Wide Area Network (WAN) 1029, as well as othernetworks. When used in a LAN networking environment, unauthorizedactivity detection and control computing device 1001 may be connected toLAN 1025 through a network interface or adapter in communications module1009. When used in a WAN networking environment, unauthorized activitydetection and control computing device 1001 may include a modem incommunications module 1009 or other means for establishingcommunications over WAN 1029, such as network 1031 (e.g., publicnetwork, private network, Internet, intranet, and the like). The networkconnections shown are illustrative and other means of establishing acommunications link between the computing devices may be used. Variouswell-known protocols such as Transmission Control Protocol/InternetProtocol (TCP/IP), Ethernet, File Transfer Protocol (FTP), HypertextTransfer Protocol (HTTP) and the like may be used, and the system can beoperated in a client-server configuration to permit a user to retrieveweb pages from a web-based server.

FIG. 11 depicts an illustrative block diagram of workstations andservers that may be used to implement the processes and functions ofcertain aspects of the present disclosure in accordance with one or moreexample embodiments. Referring to FIG. 11, illustrative system 1100 maybe used for implementing example embodiments according to the presentdisclosure. As illustrated, system 1100 may include one or moreworkstation computers 1101. Workstation 1101 may be, for example, adesktop computer, a smartphone, a wireless device, a tablet computer, alaptop computer, and the like, configured to perform various processesdescribed herein. Workstations 1101 may be local or remote, and may beconnected by one of communications links 1102 to computer network 1103that is linked via communications link 1105 to unauthorized activitydetection and control server 1104. In system 1100, unauthorized activitydetection and control server 1104 may be a server, processor, computer,or data processing device, or combination of the same, configured toperform the functions and/or processes described herein. Server 1104 maybe used to receive requests for funds or deposits, identify bills fordispensing, scan bills, evaluate items for deposit, determine whetherunauthorized activity has occurred, generate and execute one or moreinstructions associated with mitigating actions, and the like.

Computer network 1103 may be any suitable computer network including theInternet, an intranet, a Wide-Area Network (WAN), a Local-Area Network(LAN), a wireless network, a Digital Subscriber Line (DSL) network, aframe relay network, an Asynchronous Transfer Mode network, a VirtualPrivate Network (VPN), or any combination of any of the same.Communications links 1102 and 1105 may be communications links suitablefor communicating between workstations 1101 and unauthorized activitydetection and control server 1104, such as network links, dial-up links,wireless links, hard-wired links, as well as network types developed inthe future, and the like.

One or more aspects of the disclosure may be embodied in computer-usabledata or computer-executable instructions, such as in one or more programmodules, executed by one or more computers or other devices to performthe operations described herein. Generally, program modules includeroutines, programs, objects, components, data structures, and the likethat perform particular tasks or implement particular abstract datatypes when executed by one or more processors in a computer or otherdata processing device. The computer-executable instructions may bestored as computer-readable instructions on a computer-readable mediumsuch as a hard disk, optical disk, removable storage media, solid-statememory, RAM, and the like. The functionality of the program modules maybe combined or distributed as desired in various embodiments. Inaddition, the functionality may be embodied in whole or in part infirmware or hardware equivalents, such as integrated circuits,Application-Specific Integrated Circuits (ASICs), Field ProgrammableGate Arrays (FPGA), and the like. Particular data structures may be usedto more effectively implement one or more aspects of the disclosure, andsuch data structures are contemplated to be within the scope of computerexecutable instructions and computer-usable data described herein.

Various aspects described herein may be embodied as a method, anapparatus, or as one or more computer-readable media storingcomputer-executable instructions. Accordingly, those aspects may takethe form of an entirely hardware embodiment, an entirely softwareembodiment, an entirely firmware embodiment, or an embodiment combiningsoftware, hardware, and firmware aspects in any combination. Inaddition, various signals representing data or events as describedherein may be transferred between a source and a destination in the formof light or electromagnetic waves traveling through signal-conductingmedia such as metal wires, optical fibers, or wireless transmissionmedia (e.g., air or space). In general, the one or morecomputer-readable media may be and/or include one or more non-transitorycomputer-readable media.

As described herein, the various methods and acts may be operativeacross one or more computing servers and one or more networks. Thefunctionality may be distributed in any manner, or may be located in asingle computing device (e.g., a server, a client computer, and thelike). For example, in alternative embodiments, one or more of thecomputing platforms discussed above may be combined into a singlecomputing platform, and the various functions of each computing platformmay be performed by the single computing platform. In such arrangements,any and/or all of the above-discussed communications between computingplatforms may correspond to data being accessed, moved, modified,updated, and/or otherwise used by the single computing platform.Additionally or alternatively, one or more of the computing platformsdiscussed above may be implemented in one or more virtual machines thatare provided by one or more physical computing devices. In sucharrangements, the various functions of each computing platform may beperformed by the one or more virtual machines, and any and/or all of theabove-discussed communications between computing platforms maycorrespond to data being accessed, moved, modified, updated, and/orotherwise used by the one or more virtual machines.

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications, andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one or more of the steps depicted in theillustrative figures may be performed in other than the recited order,one or more steps described with respect to one figure may be used incombination with one or more steps described with respect to anotherfigure, and/or one or more depicted steps may be optional in accordancewith aspects of the disclosure.

What is claimed is:
 1. A system, comprising: a self-service kioskincluding at least one computing device having at least one processor, acommunication interface communicatively coupled to the at least oneprocessor, and a memory storing computer-readable instructions that,when executed by the at least one processor, cause at least onecomputing device of the system to: select, from a first plurality ofcurrency bills in a storage area of the self-service kiosk, a secondplurality of currency bills corresponding to an amount of currency;transfer the second plurality of currency bills from the storage area toa dispensing device of the self-service kiosk; identify, by a scanningdevice of the self-service kiosk, a unique identifier associated witheach currency bill of the second plurality of currency bills; store, ina bill identification database, the identified unique identifierassociated with each currency bill of the second plurality of currencybills and an indication that the second plurality of currency bills arebeing dispensed; receive an indication of an error by the self-servicekiosk; responsive to receiving the indication of the error, scan, by thescanning device of the self-service kiosk, all currency bills within theself-service kiosk to identify the unique identifier associated witheach currency bill within the self-service kiosk; determine, based onthe identified unique identifier associated with each currency billwithin the self-service kiosk, whether the currency bills of the secondplurality of currency bills are present within the self-service kiosk;responsive to determining the currency bills of the second plurality ofcurrency bills are present within the self-service kiosk, executing aninstruction to credit an account of a user; and responsive todetermining the currency bills of the second plurality of currency billsare not present in the self-service kiosk, flagging the indication ofthe error as unauthorized activity and executing an instruction to lockthe account of the user.
 2. The system of claim 1, further includinginstructions that, when executed, cause the at least one computingdevice to: responsive to receiving the indication of the error, activateone or more image capture devices of the self-service kiosk.
 3. Thesystem of claim 2, further including instructions that, when executed,cause the at least one computing device to: receive, from the one ormore image capture devices, image data; and analyze the image data,wherein determining whether the currency bills of the second pluralityof currency bills are present within the self-service kiosk is furtherbased on the analyzed image data.
 4. The system of claim 1, furtherincluding instructions that, when executed, cause the at least onecomputing device to: identify, by the scanning device of theself-service kiosk and using optical character recognition, adenomination of each currency bill of the second plurality of currencybills, and wherein storing, in the bill identification database, theidentified unique identifier associated with each currency bill of thesecond plurality of currency bills and an indication that the secondplurality of currency bills are being dispensed further includes storingthe identified denomination.
 5. The system of claim 1, further includinginstructions that, when executed, cause the at least one computingdevice to: scan, by the scanning device of the self-service kiosk, allcurrency bills in the storage area of the self-service kiosk to identifya unique identifier associated with each currency bill and adenomination of each currency bill; and store, by the billidentification database, the unique identifier and denomination of allcurrency bills in the storage area of the self-service kiosk.
 6. Thesystem of claim 5, further including instructions that, when executed,cause the at least one computing device to: capture additionalinformation associated with a current location, date and time for eachcurrency bill in the storage area of the self-service kiosk; and storingthe captured additional information in the bill identification database.7. The system of claim 1, wherein the indication of an error includes anindication that the second plurality of currency bills did not dispense.8. A method, comprising: selecting, by a computing device of aself-service kiosk, the computing device having a memory and at leastone processor, and from a first plurality of currency bills in a storagearea of the self-service kiosk, a second plurality of currency billscorresponding to an amount of currency; transferring, by the computingdevice, the second plurality of currency bills from the storage area toa dispensing device of the self-service kiosk; identifying, by thecomputing device and via a scanning device of the self-service kiosk, aunique identifier associated with each currency bill of the secondplurality of currency bills; storing, by the computing device and in abill identification database, the identified unique identifierassociated with each currency bill of the second plurality of currencybills and an indication that the second plurality of currency bills arebeing dispensed; receiving, by the computing device, an indication of anerror by the self-service kiosk; responsive to receiving the indicationof the error, scanning, by the computing device and via the scanningdevice of the self-service kiosk, all currency bills within theself-service kiosk to identify the unique identifier associated witheach currency bill within the self-service kiosk; determining, by thecomputing device and based on the identified unique identifierassociated with each currency bill within the self-service kiosk,whether the currency bills of the second plurality of currency bills arepresent within the self-service kiosk; if it is determined that thecurrency bills of the second plurality of currency bills are presentwithin the self-service kiosk, executing an instruction to credit anaccount of a user; and if it is determined that the currency bills ofthe second plurality of currency bills are not present in theself-service kiosk, flagging the indication of the error as unauthorizedactivity and executing an instruction to lock the account of the user.9. The method of claim 8, further including: responsive to receiving theindication of the error, activating, by the computing device, one ormore image capture devices of the self-service kiosk.
 10. The method ofclaim 9, further including: receiving, by the computing device and fromthe one or more image capture devices, image data; and analyzing, by thecomputing device, the image data, wherein determining whether thecurrency bills of the second plurality of currency bills are presentwithin the self-service kiosk is further based on the analyzed imagedata.
 11. The method of claim 8, further including: identifying, by thecomputing device and via the scanning device of the self-service kioskand using optical character recognition, a denomination of each currencybill of the second plurality of currency bills, and wherein storing, inthe bill identification database, the identified unique identifierassociated with each currency bill of the second plurality of currencybills and an indication that the second plurality of currency bills arebeing dispensed further includes storing the identified denomination.12. The method of claim 8, further including: scanning, by the computingdevice and via the scanning device of the self-service kiosk, allcurrency bills in the storage area of the self-service kiosk to identifya unique identifier associated with each currency bill and adenomination of each currency bill; and storing, by the computing deviceand in the bill identification database, the unique identifier anddenomination of all currency bills in the storage area of theself-service kiosk.
 13. The method of claim 12, further including:capturing, by the computing device, additional information associatedwith a current location, date and time for each currency bill in thestorage area of the self-service kiosk; and storing, by the computingdevice, the captured additional information in the bill identificationdatabase.
 14. The method of claim 8, wherein the indication of an errorincludes an indication that the second plurality of currency bills didnot dispense.
 15. One or more non-transitory computer-readable mediastoring instructions that, when executed by a computing devicecomprising at least one processor, memory, and a communicationinterface, cause the computing device to: select, from a first pluralityof currency bills in a storage area of a self-service kiosk, a secondplurality of currency bills corresponding to an amount of currency;transfer the second plurality of currency bills from the storage area toa dispensing device of the self-service kiosk; identify, by a scanningdevice of the self-service kiosk, a unique identifier associated witheach currency bill of the second plurality of currency bills; store, ina bill identification database, the identified unique identifierassociated with each currency bill of the second plurality of currencybills and an indication that the second plurality of currency bills arebeing dispensed; receive an indication of an error by the self-servicekiosk; responsive to receiving the indication of the error, scan, by thescanning device of the self-service kiosk, all currency bills within theself-service kiosk to identify the unique identifier associated witheach currency bill within the self-service kiosk; determine, based onthe identified unique identifier associated with each currency billwithin the self-service kiosk, whether the currency bills of the secondplurality of currency bills are present within the self-service kiosk;responsive to determining the currency bills of the second plurality ofcurrency bills are present within the self-service kiosk, executing aninstruction to credit an account of a user; and responsive todetermining the currency bills of the second plurality of currency billsare not present in the self-service kiosk, flagging the indication ofthe error as unauthorized activity and executing an instruction to lockthe account of the user.
 16. The one or more non-transitorycomputer-readable media of claim 15, further including instructionsthat, when executed, cause the computing device to: responsive toreceiving the indication of the error, activate one or more imagecapture devices of the self-service kiosk.
 17. The one or morenon-transitory computer-readable media of claim 16, further includinginstructions that, when executed, cause the computing device to:receive, from the one or more image capture devices, image data; andanalyze the image data, wherein determining whether the currency billsof the second plurality of currency bills are present within theself-service kiosk is further based on the analyzed image data.
 18. Theone or more non-transitory computer-readable media of claim 15, furtherincluding instructions that, when executed, cause the computing deviceto: identify, by the scanning device of the self-service kiosk and usingoptical character recognition, a denomination of each currency bill ofthe second plurality of currency bills, and wherein storing, in the billidentification database, the identified unique identifier associatedwith each currency bill of the second plurality of currency bills and anindication that the second plurality of currency bills are beingdispensed further includes storing the identified denomination.
 19. Theone or more non-transitory computer-readable media of claim 15, furtherincluding instructions that, when executed, cause the computing deviceto: scan, by the scanning device of the self-service kiosk, all currencybills in the storage area of the self-service kiosk to identify a uniqueidentifier associated with each currency bill and a denomination of eachcurrency bill; and store, by the bill identification database, theunique identifier and denomination of all currency bills in the storagearea of the self-service kiosk.
 20. The one or more non-transitorycomputer-readable media of claim 19, further including instructionsthat, when executed, cause the computing device to: capture additionalinformation associated with a current location, date and time for eachcurrency bill in the storage area of the self-service kiosk; and storingthe captured additional information in the bill identification database.21. The one or more non-transitory computer-readable media of claim 15,wherein the indication of an error includes an indication that thesecond plurality of currency bills did not dispense.